In-flight Wi-Fi might open hatch to commercial aircraft hackers
Researchers raise awareness that security flaws could leave systems vulnerable to mid-air tampering
By Roger Yu, ThirdCertainty
It’s chilling to think about the possibility of a cybersecurity breach occurring while in flight.
The enclosed cabin. Heavy wiring of electronics. Flying 30,000 feet above ground.
But apart from a few episodes not fully explained, in-flight electronics have been largely spared from cyber attacks.
Still, a few hack-savvy travelers have been poking around for vulnerabilities in their in-flight Wi-Fi and entertainment systems.
In 2015, a hacker bragged on Twitter that he managed to make a plane he was on climb and move “sideways” after cracking into its in-flight entertainment system, according to an FBI affidavit. The hacker, Chris Roberts, told the FBI that he accessed planes’ computer systems by attaching an ethernet cable to the electronic box placed in some seats.
Ruben Santamarta, principal security consultant at cybersecurity service firm IOActive, also was curious.
During a flight from Warsaw, Poland, to Dubai, United Arab Emirates, two years ago, Santamarta toyed with the in-flight entertainment system and discovered unprotected computer software code.
Proprietary information exposed
Using the visible code, Santamarta went online and found that the system’s firmware updates for multiple major airlines, containing code lines and “binaries,” were publicly available. “There were hundreds of files. And I didn’t download all of them,” he says. “Airlines decide to customize their systems for their own needs. So in a way, they’re exposing something that may be considered intellectual property.”
The discovery prompted IOActive to conduct broader research about the company that produced the in-flight system, Panasonic Avionics. Late last year, IOActive revealed the findings publicly, concluding that the security vulnerabilities in Panasonic Avionics’ in-flight entertainment system, used by a number of major airlines, could allow hackers to take over in-flight displays and, “in some instances, potentially access their credit card information.”
These computer code lines also often contain “entry points” that may give a hacker access to sensitive information within a wider network. A hacker intruding on the wider network and rewriting codes potentially could gain control of what passengers experience during the flight, including possibly manipulating altitude or speed information and interactive map routes, seizing PA systems and lighting controls, as well as capturing credit card details available in airlines’ frequent-flier membership data, IOActive says.
“You can use the code and info to look for vulnerabilities,” Santamarta says. “We aren’t (talking about) bringing down the plane but … you can create discomfort. You never know how passengers are going to react to these kinds of situations.”
Panasonic Avionics panned IOActive’s findings. The report contains “a number of inaccurate and misleading statements about Panasonic’s systems,” the company said in a statement. “These misstatements and inaccuracies call into question many of the assertions made by IOActive.”
Clampdown on access
Panasonic removed public access to the firmware update listings directory, Santamarta says. “You can’t browse all those files anymore,” he says. “In their statement, they said they fixed it. We don’t have any reason to doubt those claims.”
Currently, in-flight entertainment systems generally are separated from cockpit systems. But they have been integrated with products from multiple vendors and varying technology standards, an attractive scenario for hackers. In-flight Wi-Fi and mobile devices also have made aircraft electronics even more complex in recent years.
Meanwhile, the Federal Aviation Administration is in the midst of modernizing air traffic control, which now uses radar. Its Next Generation Air Transportation System, or NextGen, would rely on GPS and the internet, triggering serious worries among cybersecurity experts and industry officials.
A survey last year by PricewaterhouseCoopers says 85 percent of airline CEOs expressed concern about cybersecurity risk vs. 61 percent of CEOs in other industries.
Better safe than sorry
The study recommends that airlines take proactive steps to minimize threats by improving customer notification tools and collecting forensic data to identify security weaknesses.
Santamarta says his firm published its research about Panasonic because “we’re always trying to raise awareness of a specific area.”
“We may have a success situation here since the awareness level is raised. The pilots are taking these issues seriously. It’s better to improve security while we can rather than waiting until something happens.”
More stories related to security attacks:
Does your airline really understand and provide data security?
More organizations find security awareness training is becoming a vital security tool
Targeted attacks on industrial control systems surge